Policy Steward:

Contents:

PURPOSE:

To protect the safety, security, privacy and property of the University, and the individuals assigned to use University facilities, by controlling access to such facilities.

SCOPE:

This policy applies to all facilities owned, leased by, and/or under the control of The Pennsylvania State University, excluding Hershey Medical Center, the College of Medicine, and the Pennsylvania College of Technology. Likewise, this policy applies to all individuals using these facilities. This includes both employees and non-employees. Protocol for residence and food service facilities access, including student rooms and apartments in University residence facilities, will be governed by the "Housing and Food Services Policies and Procedures for Key/Card Access," and as stated in the Terms, Conditions and Regulations of the Housing and Food Service Contract or Lease.

DEFINITIONS / RESPONSIBILITIES:

Access Control System- An electronic security system that can be activated by an access credential. The system electronically controls locking and unlocking of doors, identifies and records cardholder information, and logs system events.

Access Controls and Electronic Security Programs (A.C.E.S.): A program within the Physical Security Office. A.C.E.S.' mission is "to provide professional security services to The Pennsylvania State University community, consistent with the University’s mission, culture, and resources in order to facilitate a safe and secure campus environment.”

Access Credential Device (ACD)- A University-approved device which identifies an individual to an access control system. Devices may include, but are not limited to, a card, fob, tag, biometric identifier, and any other approved device.

Clearance- A person's approved rights to access a facility.

Key- A traditional metal key or similar device that is used to unlock or lock specific mechanical door locks. For definitions of different key types, refer to Procedure SY2001.

Key Management System (KMS)- A system used to process key requests, maintain a record of each key created, and associate that key to the key holder.

University Access Controller(s)- Representatives from the University Police and Public Safety and the Physical Security Office, jointly responsible for overseeing, advising and enforcing the parameters of this policy and Procedure SY2001.

University Approved Locksmith:

An employee authorized by the University to perform locksmith duties.

Any outside vendor that has been properly retained and authorized by the University to perform the locksmith work needed.

POLICY:

It is the policy of The Pennsylvania State University to preserve an open access environment while properly authorizing building and room access to faculty, staff, students and representatives of organizations having contractual agreements with the University. A key or clearance will only be granted when access to facilities cannot be achieved via established locking and unlocking schedules. Requests for access must follow established authorization protocol, as specified within this policy and related documents. The issuance of a clearance, or possession of a key, does not extend permission of access beyond the assigned area or outside the authorized times of access.

All keys and ACDs referred to in this policy are the property of The Pennsylvania State University and are not to be duplicated by any faculty, staff or student. Duplication of keys and/or ACDs, or the possession of duplicate keys and/or ACDs, will result in referral to the Office of Student Conduct (students) or the Office of Human Resources (all others) for the appropriate sanctions. When appropriate, criminal sanctions under fraud and counterfeiting statutes may also result.

In the event that an individual’s access requirements change, the individual will be required to notify their area Access Coordinator and make the appropriate changes, including the return of their keys/ACDs, and/or changes to their access credential clearances, as applicable. These circumstances can include, but are not limited to: (1) access changes in their current area of employment (2) leaving the University, or (3) accepting employment in a different area of the University. Lost keys/ACDs will be reported to the University Access Controller as defined in Procedure SY2001. Recovery costs will be charged to an individual's department for each lost or unreturned key (including keys to leased properties) and/or access credential devices issued by the University. In addition, recoring costs may also be charged as defined in Procedure SY2001. The Access Coordinator, University Access Controller and responsible budget executive will assess the vulnerability of the area(s) compromised by the lost key/ACD, and determine whether the area(s) need new cores/access devices installed.

Likewise, all non-University personnel that are assigned keys/ACDs are also subject to the recovery costs specified in the preceding paragraph.

NOTE: Replacement of PSU ID and PSUid+ cards are governed by University Policy AD24, "Identification Cards for Faculty/Staff, Students and Affiliates."

All keys subject to this policy shall be labeled with a unique identifier stamped onto the key. The University Key Management System (or equivalent key management system at non-University Park locations) will be used to maintain a record of each key created and identified to its key holder by this unique identifier. No additional key labeling or tagging of any kind is permitted, unless authorized by the University Access Controller.

All clearance requests for keys and ACDs must be approved in accordance with procedure SY2001.

Any core changes, core moves, key cutting or duplications shall be performed only by a University-approved locksmith, and in accordance with Procedure SY2001.

Procedure SY2001, "University Access: Clearances, Keys and Access Devices; Authorization, Issuance and Fees," provides the appropriate detailed information required for complying with the mandates of this policy. SY2001 specifies the fundamental responsibilities and necessary controls required to administer all aspects of University access.

Adherence to this policy is the responsibility of all employees, students and representatives of organizations having contractual agreements with the University. Enforcement of this policy is the responsibility of the University Police and Public Safety. In the event of an emergency, University Police will have the authority to control building access, including locking/unlocking of doors.

Building access will be granted by electronic means if available. Keys will only be issued if access through electronic means is not possible.

STORAGE OF KEYS AND ACDs:

ACCOUNTABILITY:

Access to University facilities is a responsibility that each individual must take seriously. Access privileges may be revoked at the discretion of the University Access Controller, in consultation with the facility Access Coordinator, if the guidelines of this policy are not followed. Faculty, staff, students, and non-University personnel will be subject to additional sanctions and fees, as well.

AUDITS:

Annually, each Access Coordinator shall conduct a "self-audit" by taking inventory of all keys, ACDs, and clearance "issuance records," along with those items physically "on hand," and comparing those counts to the central database records maintained for these items. A written report of the results of this self-audit shall be created, affirming the accuracy of the inventory taken as well as documentation of any discrepancies between the physical count and central database records. This report shall be provided to the University Access Controller.

A random audit of a department’s key/ACD inventory records may be held at any time by the University Access Controller or a Physical Security representative to insure that both inventory and the security of keys and ACDs are being properly maintained.

If there is a change in an area's Access Coordinator, an audit will be performed by the University Access Controller(s) and the in-coming Access Coordinator.

FURTHER INFORMATION:

For questions, additional detail, or to request changes to this policy, please contact University Police & Public Safety.

May 27, 2016- Editorial change in the POLICY section, paragraph 9, to clarify that University Police have building access authority in emergency situations.

Revision History (and effective dates):

March 31, 2014- The policy, formerly SY19, has been completely revised to reflect current access standards, security standards and best practices and moved from the Safety section to the Administrative section, renumbered as policy AD68.

March 16, 2007:

Key Custodian references changed to "Access Coordinator."

Addition of a "Definitions" section.

$20 key replacement fee now also applies to unreturned keys.

Expansion of the necessary "authorizations" in the POLICY ENFORCEMENT section.

Changes in the method of processing requests for keys have necessitated wording changes. The titles of Assistant VP of Physical Plant, and Assistant VP for Auxiliary Services are now Associate VP's. Under the STORAGE section, master keys were added to the requirement of being forwarded to the University Access Controller when returned to the Access Coordinator.

Under AUDITS, added requirement of each Access Coordinator conducting an annual inventory of all key issuance records, physical key inventory and clearances assigned.

Removal of Social Security Number references, per adoption of the PSU-ID number (Policy Guideline ADG03).